From 5ef0b4edf619183c8d361db69e5db8fa1e57a5de Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 11 Dec 2025 23:54:43 -0300
Subject: [PATCH] mailu: capture helm release and cert
---
 .gitignore | 4 +-
 README.md | 3 +
 .../applications/kustomization.yaml | 1 +
 .../applications/mailu/kustomization.yaml | 18 ++
 clusters/atlas/flux-system/gotk-sync.yaml | 2 +-
 infrastructure/core/kustomization.yaml | 1 +
 .../cert-manager/letsencrypt-prod.yaml | 14 ++
 infrastructure/sources/helm/mailu.yaml | 9 +
 services/mailu/certificate.yaml | 13 ++
 services/mailu/helmrelease.yaml | 170 ++++++++++++++++++
 services/mailu/kustomization.yaml | 8 +
 services/mailu/namespace.yaml | 5 +
 12 files changed, 246 insertions(+), 2 deletions(-)
 create mode 100644 README.md
 create mode 100644 clusters/atlas/flux-system/applications/mailu/kustomization.yaml
 create mode 100644 infrastructure/sources/cert-manager/letsencrypt-prod.yaml
 create mode 100644 infrastructure/sources/helm/mailu.yaml
 create mode 100644 services/mailu/certificate.yaml
 create mode 100644 services/mailu/helmrelease.yaml
 create mode 100644 services/mailu/kustomization.yaml
 create mode 100644 services/mailu/namespace.yaml
diff --git a/.gitignore b/.gitignore
index c317064..20e9e72 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-AGENTS.md
+# Ignore markdown by default, but keep top-level docs
+*.md
+!README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..016e0bb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# titan-iac
+
+Flux-managed Kubernetes cluster for bstein.dev services. See `AGENTS.md` for contributor guidance and service-specific manifests under `services/` and `infrastructure/`.
diff --git a/clusters/atlas/flux-system/applications/kustomization.yaml b/clusters/atlas/flux-system/applications/kustomization.yaml
index 1bc2700..daf1c42 100644
--- a/clusters/atlas/flux-system/applications/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/kustomization.yaml
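Review bot: The new `*.md` pattern in .gitignore ignores AGENTS.md, yet the README.md added in the same commit tells contributors to "See `AGENTS.md` for contributor guidance", so that file will never be in the repository for them to read. Either add `!AGENTS.md` next to `!README.md`, or drop the reference from README.md. If keeping AGENTS.md local-only is deliberate, a comment on the pattern such as `# AGENTS.md is intentionally local-only` would make that explicit.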
@@ -15,3 +15,4 @@ resources:
 - sui-metrics/kustomization.yaml
 - keycloak/kustomization.yaml
 - oauth2-proxy/kustomization.yaml
+ - mailu/kustomization.yaml
diff --git a/clusters/atlas/flux-system/applications/mailu/kustomization.yaml b/clusters/atlas/flux-system/applications/mailu/kustomization.yaml
new file mode 100644
index 0000000..09db2fd
--- /dev/null
+++ b/clusters/atlas/flux-system/applications/mailu/kustomization.yaml
@@ -0,0 +1,18 @@
+# clusters/atlas/flux-system/applications/mailu/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: mailu
+ namespace: flux-system
+spec:
+ interval: 10m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ path: ./services/mailu
+ targetNamespace: mailu-mailserver
+ prune: true
+ wait: true
+ dependsOn:
+ - name: helm
diff --git a/clusters/atlas/flux-system/gotk-sync.yaml b/clusters/atlas/flux-system/gotk-sync.yaml
index 4076ef6..26dc23f 100644
--- a/clusters/atlas/flux-system/gotk-sync.yaml
+++ b/clusters/atlas/flux-system/gotk-sync.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
 interval: 1m0s
 ref:
- branch: feature/sso
+ branch: feature/mailu
 secretRef:
 name: flux-system-gitea
 url: ssh://git@scm.bstein.dev:2242/bstein/titan-iac.git
diff --git a/infrastructure/core/kustomization.yaml b/infrastructure/core/kustomization.yaml
index 1f56f6d..14d6a02 100644
--- a/infrastructure/core/kustomization.yaml
+++ b/infrastructure/core/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - ../modules/base
 - ../modules/profiles/atlas-ha
 - ../sources/cert-manager/letsencrypt.yaml
+ - ../sources/cert-manager/letsencrypt-prod.yaml
diff --git a/infrastructure/sources/cert-manager/letsencrypt-prod.yaml b/infrastructure/sources/cert-manager/letsencrypt-prod.yaml
new file mode 100644
index 0000000..65bf316
--- /dev/null
+++ b/infrastructure/sources/cert-manager/letsencrypt-prod.yaml
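Review bot: `dependsOn` in the new mailu Flux Kustomization lists only `helm`, but the manifests under `./services/mailu` need the `letsencrypt-prod` ClusterIssuer that this same commit wires in through `infrastructure/core/kustomization.yaml`, and with `wait: true` the Certificate will keep this Kustomization not-ready until that issuer exists. If the infrastructure tree is reconciled by its own Flux Kustomization (its name is not visible in this patch), adding it to `dependsOn` makes the ordering explicit instead of relying on retries. A short comment above `dependsOn` naming the objects expected to pre-exist would help the next reader.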
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ email: brad.stein@gmail.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-prod-account-key
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
diff --git a/infrastructure/sources/helm/mailu.yaml b/infrastructure/sources/helm/mailu.yaml
new file mode 100644
index 0000000..5cd56e2
--- /dev/null
+++ b/infrastructure/sources/helm/mailu.yaml
@@ -0,0 +1,9 @@
+# infrastructure/sources/helm/mailu.yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: mailu
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://mailu.github.io/helm-charts
diff --git a/services/mailu/certificate.yaml b/services/mailu/certificate.yaml
new file mode 100644
index 0000000..83cc17c
--- /dev/null
+++ b/services/mailu/certificate.yaml
@@ -0,0 +1,13 @@
+# services/mailu/certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mailu-tls
+ namespace: mailu-mailserver
+spec:
+ secretName: mailu-certificates
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt-prod
+ dnsNames:
+ - mail.bstein.dev
diff --git a/services/mailu/helmrelease.yaml b/services/mailu/helmrelease.yaml
new file mode 100644
index 0000000..3710479
--- /dev/null
+++ b/services/mailu/helmrelease.yaml
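Review bot: letsencrypt-prod.yaml is the only new manifest in this commit without the leading path comment the others carry (`# infrastructure/sources/helm/mailu.yaml`, `# services/mailu/certificate.yaml`, and so on); add `# infrastructure/sources/cert-manager/letsencrypt-prod.yaml` as its first line for consistency. A one-line comment above `server:` noting that this is the production ACME endpoint, which enforces issuance rate limits, would also distinguish it from the existing `letsencrypt.yaml` issuer listed beside it in `infrastructure/core/kustomization.yaml`.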
@@ -0,0 +1,170 @@
+# services/mailu/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: mailu
+ namespace: mailu-mailserver
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: mailu
+ version: 2.1.2
+ sourceRef:
+ kind: HelmRepository
+ name: mailu
+ namespace: flux-system
+ install:
+ remediation: { retries: 3 }
+ upgrade:
+ remediation: { retries: 3 }
+ values:
+ mailuVersion: "2024.06"
+ domain: bstein.dev
+ hostnames: [mail.bstein.dev]
+ domains:
+ - name: bstein.dev
+ enabled: true
+ dkim:
+ enabled: true
+ timezone: Etc/UTC
+ subnet: 10.42.0.0/16
+ existingSecret: mailu-secret
+ externalDatabase:
+ enabled: true
+ type: postgresql
+ host: postgres-service.postgres.svc.cluster.local
+ port: 5432
+ database: mailu
+ username: mailu
+ existingSecret: mailu-db-secret
+ existingSecretUsernameKey: username
+ existingSecretPasswordKey: password
+ existingSecretDatabaseKey: database
+ initialAccount:
+ enabled: true
+ username: test
+ domain: bstein.dev
+ existingSecret: mailu-initial-account-secret
+ existingSecretPasswordKey: password
+ persistence:
+ accessModes: [ReadWriteMany]
+ size: 100Gi
+ storageClass: astreae
+ single_pvc: true
+ front:
+ hostnames: [mail.bstein.dev]
+ proxied: true
+ https:
+ enabled: true
+ external: true
+ forceHttps: false
+ externalService:
+ enabled: true
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ nodePorts:
+ pop3: 30010
+ pop3s: 30011
+ imap: 30143
+ imaps: 30993
+ manageSieve: 30419
+ smtp: 30025
+ smtps: 30465
+ submission: 30587
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ admin:
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ extraEnvVars:
+ - name: FLASK_DEBUG
+ value: "1"
+ - name: ACCESSLOG
+ value: /dev/stdout
+ - name: ERRORLOG
+ value: /dev/stderr
+ - name: WEBROOT_REDIRECT
+ value: ""
+ - name: FORWARDED_ALLOW_IPS
+ value: 127.0.0.1,10.42.0.0/16
+ - name: DNS_RESOLVERS
+ value: 1.1.1.1,9.9.9.9
+ clamav:
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ dovecot:
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ oletools:
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ postfix:
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ redis:
+ enabled: true
+ architecture: standalone
+ logLevel: DEBUG
+ master:
+ nodeSelector:
+ hardware: rpi4
+ persistence:
+ enabled: true
+ accessModes: [ReadWriteMany]
+ size: 8Gi
+ storageClass: astreae
+ rspamd:
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ persistence:
+ accessModes: [ReadWriteOnce]
+ size: 8Gi
+ storageClass: astreae
+ tika:
+ logLevel: DEBUG
+ nodeSelector:
+ hardware: rpi4
+ global:
+ logLevel: DEBUG
+ storageClass: astreae
+ webmail:
+ enabled: false
+ nodeSelector:
+ hardware: rpi4
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ tls: true
+ existingSecret: mailu-certificates
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ extraRules:
+ - host: mail.bstein.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: mailu-front
+ port:
+ number: 443
+ service:
+ ports:
+ smtp:
+ port: 25
+ targetPort: 25
+ smtps:
+ port: 465
+ targetPort: 465
+ submission:
+ port: 587
+ targetPort: 587
diff --git a/services/mailu/kustomization.yaml b/services/mailu/kustomization.yaml
new file mode 100644
index 0000000..e934177
--- /dev/null
+++ b/services/mailu/kustomization.yaml
@@ -0,0 +1,8 @@
+# services/mailu/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mailu-mailserver
+resources:
+ - namespace.yaml
+ - helmrelease.yaml
+ - certificate.yaml
diff --git a/services/mailu/namespace.yaml b/services/mailu/namespace.yaml
new file mode 100644
index 0000000..1f3831b
--- /dev/null
+++ b/services/mailu/namespace.yaml
@@ -0,0 +1,5 @@
+# services/mailu/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: mailu-mailserver
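Review bot: The admin container in helmrelease.yaml gets `FLASK_DEBUG` set to `"1"` and every component (`front`, `admin`, `clamav`, `dovecot`, `oletools`, `postfix`, `redis`, `rspamd`, `tika`, `global`) runs with `logLevel: DEBUG`, which on an internet-facing mail stack exposes verbose tracebacks and debug logs; these belong in a local override rather than the committed release, or at minimum deserve a `# TODO: remove before production cut-over` comment. `subnet: 10.42.0.0/16` also hands the whole pod CIDR to Mailu, which — if the chart maps it to Mailu's SUBNET setting as I believe it does — Postfix treats as a trusted network permitted to relay without authentication, so any workload in the cluster could send mail through this server; a NetworkPolicy in `mailu-mailserver` limiting SMTP ingress to the Mailu pods would restore least privilege. `FORWARDED_ALLOW_IPS` trusts the same /16 for forwarded-client headers, so client addresses recorded by admin can be set by any pod; narrowing it to the front pods' addresses, if those are stable, is preferable. A comment on `subnet` explaining why the entire pod range is used would document the trade-off either way.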
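Review bot: `resources` in services/mailu/kustomization.yaml lists only the namespace, HelmRelease and Certificate, while helmrelease.yaml references three Secrets — `mailu-secret`, `mailu-db-secret` and `mailu-initial-account-secret` — that nothing in this path creates, so a fresh reconcile of `mailu-mailserver` will fail until they are provisioned by some other mechanism. A comment here such as `# Secrets mailu-secret, mailu-db-secret and mailu-initial-account-secret are provisioned outside this Kustomization` would record that contract; if they come from an encrypted or external-secret resource elsewhere in the repository, listing it here would make the path self-contained.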